
Install and setup OpenVPN on Debian 4.0 Etch

OpenVPN is a piece of software for building virtual private networks without relying on technologies such as PPTP (Microsoft) or IPsec. It is available on many operating systems (Microsoft Windows, GNU/Linux, Mac OS X, ...) and is a simple way to run a virtual private network across different operating systems and computers.

If you have set up easy-rsa correctly, you can accept the default values.

Note: some free certificate authorities exist and can be used to sign HTTPS server certificates. This is not needed for an OpenVPN server; if you want to do it anyway, it should be possible (see CAcert). Keep in mind that an OpenVPN server accepts any client certificate that chains to the CA named in its configuration, so a CA that also issues certificates to strangers is a poor choice for a VPN. A private CA dedicated to the VPN, as built with easy-rsa in this guide, is the usual and safer choice.

Server certificate creation

We will now create the server certificate, by running these commands:

Note: you can protect the private key with a passphrase. If you do, the passphrase is asked each time the key is used: for the CA key, that is each time you create or revoke a client certificate; for the server key, each time the OpenVPN server starts. DO NOT LOSE IT. It is a security gain, but it is not mandatory. Decide according to your paranoia level.

The script asks you to confirm the signature, then to commit the new certificate to the CA database. Answer y to both prompts.

Last step

The last step is to restart the VPN server:

/etc/init.d/openvpn restart

VPN clients management

A client certificate can be created or revoked. Revocation lets you eject an unwanted client from the virtual private network. It is a step I ignored for some time, since I did not need it, but it turns out to be very useful. Note that the server only rejects a revoked certificate if its configuration references the current certificate revocation list (the crl-verify directive), so make sure the CRL file is regenerated after each revocation.

First, download two scripts that make adding and revoking clients easier:

You now have one tar.gz file per client, which you copy to each client computer and extract with this command line:

tar --directory /etc -xzf your-client-file.tar.gz

Each archive contains that client's private key, so transfer it over a trusted channel (scp, for instance) rather than by e-mail.

Now install OpenVPN on the client computers and start (or restart) it:

apt-get install openvpn liblzo1
/etc/init.d/openvpn restart

If all went well, the log shows a message telling you that everything is OK (Initialization Sequence Completed). The following command gives you more information about your VPN link:

ifconfig tun0

Going deeper

The first part of this article helped you create a simple virtual private network in which clients cannot talk to each other or reach the network behind the server. That is fine, but in most cases it is not enough. We will see here how to enhance our VPN. The first step is to run these commands:

Allowing VPN clients to access VPN server local network

If you want to reach the VPN server's local network from your VPN clients, first make sure that the clients' local networks do not use the same IP address range as the server's local network (a client cannot route to a remote network whose addresses collide with its own). Once that is checked, tell your clients which route to use to reach the server's local network:

Once this is done, we will play with the iptables configuration to turn the VPN server into a NAT router. Yes, NAT. I have seen a lot of complicated howtos setting up full routing between VPN clients and the server's local network, but I think it is overkill for most needs. The trade-off: with NAT, every VPN client appears on the local network with the server's own address, so hosts on that network cannot tell clients apart and cannot initiate connections to a client.

Netfilter (IpTables) configuration

First, if needed, create the iptables ip-up.d script. It will be run each time the network comes up:

Just want to say what a great tutorial this was, very well thought out and executed. The only thing I had to comment on was the fact that the current iptables (as of 6/1/08) does not work with the line `gunzip --to-stdout /usr/share/doc/iptables/examples/oldinitdscript.gz > /etc/init.d/iptables`. I ended up getting it working perfectly using an old stable (backports) version of the iptables package, specifically `iptables_1.2.11-10_i386.deb` from a German mirror. The file can be found for download at `http://packages.debian.org/sarge/i386/iptables/download` for anyone who ran into the same problem.

Before retrying the CRL creation: this guide must be followed from start to end without interrupting the session. Afterwards, you can use the client creation and revocation scripts whenever you want, but the configuration must be done in one session.

The file /etc/bind/vpndomain.vpn.hosts looks like this:
-----------------------------start-------------------------------
$TTL 38400
vpndomain.vpn.          IN SOA  server.localdomain.lan. root.localdomain.lan. (
                                1220005614  ; serial
                                10800       ; refresh
                                3600        ; retry
                                604800      ; expire
                                38400 )     ; negative caching TTL
vpndomain.vpn.          IN NS   server.ceno.lan.
user1.vpndomain.vpn.    IN A    10.8.142.5
user2.vpndomain.vpn.    IN A    140.8.142.9
server.vpndomain.vpn.   IN A    10.8.142.1
------------------------------stop---------------------------
and the file /etc/bind/10.8.142.rev looks like this:

I am using Debian Lenny as my client. I tried the last section, "Configuring Linux clients to use DNS information provided by VPN server", in this guide to set up my client to update the DNS automatically when it receives the value from the OpenVPN server. But I observed that there was some problem in the sanityCheck function in the client.up script and my OpenVPN connection kept crashing. So I commented out this function call in the client.up script (as it didn't seem to do anything really useful). Alternatively the line "up /etc/openvpn/client.up" in /etc/openvpn/vpndomain.vpn.conf can be commented out instead of modifying the client.up script. Now my resolv.conf was getting updated whenever I started my VPN client (/etc/init.d/openvpn restart). But I observed that whenever my local LAN DHCP client fetched its information from my local DHCP server, /etc/resolv.conf was being overwritten.

Luckily I observed that the openvpn package which comes with Debian Lenny has an /etc/openvpn/update-resolv-conf script which serves the same purpose. Just add these two lines to the end of /etc/openvpn/vpndomain.vpn.conf on your client machine and you shall observe that /etc/resolv.conf is updated automatically whenever you establish a VPN connection, and it does not even get overwritten:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

(Be sure to install the resolvconf package using apt-get as the script update-resolv-conf makes use of the executable /sbin/resolvconf).

Also I forgot to mention that you will have to pass the option "--script-security 2" to openvpn so that it can call the external script update-resolv-conf. In Debian Lenny, this can be set by modifying the OPTARGS variable in /etc/default/openvpn as below:

Thank you very much for the excellent work.
I am facing an issue so far.
When I issue the:
source /etc/openvpn/easy-rsa/vars
/etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem
I receive the following error:
3848:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 133
Thanks in advance for your reply.
Best regards.

Dear lwolf,
I checked the /etc/openvpn/easy-rsa/vars file and all values were set according to the guide, except that instead of your suggested:

export KEY_CONFIG="/etc/openvpn/easy-rsa/openssl.cnf"

I used

export KEY_CONFIG=$D/easy-rsa/openssl.cnf

When I changed the vars file to reflect your suggested value I received additional information in the error:

# source /etc/openvpn/easy-rsa/vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys
# /etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
error on line 133 of config file '/etc/openvpn/easy-rsa/openssl.cnf'
3407:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 133

Hi avaton,
I had the same problem as you before, so I tried to fix the openssl.cnf.
The problem is the variable. I inserted my desired default values directly and it worked.
I don't know how to insert the values correctly via a variable, but this will work, and maybe lone wolf will fix this in his downloadable version of the openssl.cnf.

I found this article amazingly helpful, and so have the comments been, so I thought I should do what I can and return the favor =}

I came to the same step and problem as avaton:
localhost:/etc/openvpn/easy-rsa# chmod +x /etc/openvpn/easy-rsa/make-crl
localhost:/etc/openvpn/easy-rsa# /etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
error on line 145 of config file '/etc/openvpn/easy-rsa/openssl.cnf'
2473:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 145
localhost:/etc/openvpn/easy-rsa#

So I looked at my version of openssl.cnf at line 145 and saw this bit of code:
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN

I looked at the openssl.conf lwolf provided and compared the two openssl.cnf's ( I used the default openssl.cnf provided by /usr/share/doc/openvpn/examples/easy-rsa/2.0/ ) and made the following changes to my openssl.cnf:

After this, I tried to run the command again:
localhost:/etc/openvpn/easy-rsa# /etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
localhost:/etc/openvpn/easy-rsa#

It went through without complaint and checked my keys directory and the crl.pem was there. Hope this is able to help someone!
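As an added check that is not part of the original discussion: the error quoted above means that a variable the openssl.cnf reads through $ENV:: (KEY_OU and KEY_CN in these reports) has no value in the environment when make-crl runs. The shell function below lists every such variable that is unset or empty, so it can be run right after sourcing vars and before make-crl or build-key instead of guessing from the line number. It takes the path to the openssl.cnf as its argument; the path and variable names in the usage comment are the ones from the comments above.

```shell
#!/bin/sh
# Added example: find $ENV::NAME references in an openssl.cnf that have no
# value in the current environment.  OpenSSL aborts with
# "configuration file routines:STR_COPY:variable has no value" on the first one.

# Print the distinct variable names the config pulls from the environment.
# Comments are stripped first so a commented-out reference is not reported.
openssl_env_refs() {
    sed 's/#.*//' "$1" | grep -o '\$ENV::[A-Za-z_][A-Za-z0-9_]*' | sed 's/^\$ENV:://' | sort -u
}

# Print each referenced variable that is unset or empty; exit 1 if there are any.
# The eval is safe because openssl_env_refs only yields identifier characters.
openssl_missing_env() {
    missing=0
    for name in $(openssl_env_refs "$1"); do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "$name"
            missing=1
        fi
    done
    return $missing
}

# Usage, after "source /etc/openvpn/easy-rsa/vars":
#   openssl_missing_env /etc/openvpn/easy-rsa/openssl.cnf \
#       || echo "export the names above in vars before running make-crl"
```

Any name printed has to be exported from vars (or given a literal default in openssl.cnf, as the previous comment did) before the OpenSSL tools will read the file.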

This means that something is using port 1194. It is probably an OpenVPN server still running. I can only advise you to take a look at the end of /var/log/syslog to diagnose the source of the problem.

So... my client has Windows:
you only say for the Linux client... what files are needed for a Windows client?
All is okay before this line, which is for the Linux client:
tar --directory /etc -xzf your-client-file.tar.gz

The files needed are the same for Linux and Windows clients. But for a Windows client, you'll need to rename the conf file to give it the .ovpn extension, and edit it to change the path to the keys to something that fits Windows (c:\).

I'm going to update this guide soon so that it creates Windows configuration files (by soon I mean somewhere between next week and next year :( I don't have a great amount of free time currently).

Hi, great how-to, thanks for that.
As far as Windows is concerned, with the OpenVPN binary distribution for Windows it is necessary to follow these steps:
- untar config files into C:\Program Files\OpenVPN\config
- rename <client>.conf file to <client>.ovpn
- change the options in <client>.ovpn to point to the <client>-keys directory in the Windows file system. The proper notation is key; it should look like this: 'C:\\Program Files\\OpenVPN\\config\\<client>-keys\\ca.crt', so you have to put the path in quotes (due to the spaces in directory names) and use a double backslash (\\) because a single backslash is interpreted as an escape character.

As far as installation on Debian 5.0 Lenny goes, some changes have to be applied. In my case the original easy-rsa directory does not contain any files but two directories named 1.0 and 2.0, which apparently stand for the OpenSSL version. Choosing the files in 2.0 and copying them to /etc/openvpn/easy-rsa worked fine. There was only one exception: 2.0 does not include /etc/openvpn/easy-rsa/make-crl, needed to create the crl.pem file. An easy solution to that problem (very simplistic) was to copy make-crl from 1.0; that worked very well.
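To make the Windows conversion described in the comment above repeatable, here is an added example (my own, not the guide's or the commenter's script) that rewrites a Linux client .conf produced by this guide into a Windows .ovpn following those rules. It assumes the file directives (ca, cert, key, tls-auth, crl-verify, dh) point under /etc/openvpn/ and are separated from their path by a single space, and it uses the default install directory named in the comment; the client name alice in the usage line is made up.

```shell
#!/bin/sh
# Added example: convert a Linux client configuration to a Windows .ovpn by
# rewriting file paths as quoted, double-backslashed Windows paths.
# Assumption: key material is referenced under /etc/openvpn/ in the .conf.

WIN_CONFIG_DIR='C:\\Program Files\\OpenVPN\\config'
BS2='\\'   # two literal backslashes, the separator Windows OpenVPN wants

# /etc/openvpn/alice-keys/ca.crt -> 'C:\\Program Files\\OpenVPN\\config\\alice-keys\\ca.crt'
to_windows_path() {
    rel=$(printf '%s' "${1#/etc/openvpn/}" | sed 's#/#\\\\#g')
    printf "'%s%s%s'" "$WIN_CONFIG_DIR" "$BS2" "$rel"
}

# Read the .conf named by $1 and print the .ovpn on stdout.  Only directives
# that name a file are touched; every other line is copied unchanged.
conf_to_ovpn() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "ca /"*|"cert /"*|"key /"*|"tls-auth /"*|"crl-verify /"*|"dh /"*)
                directive=${line%% *}
                rest=${line#* }
                path=${rest%% *}            # first word after the directive
                extra=${rest#"$path"}       # e.g. the " 1" direction of tls-auth
                printf '%s %s%s\n' "$directive" "$(to_windows_path "$path")" "$extra"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done < "$1"
}

# Usage: conf_to_ovpn alice.conf > alice.ovpn
# then copy alice.ovpn and the alice-keys directory into
# C:\Program Files\OpenVPN\config on the Windows machine.
```

The key files themselves are copied as they are; only the configuration changes, so the same tarball built for Linux clients serves Windows users too.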

eth0 is the default Ethernet "alias". If it is not present, you are probably using a wifi connection. Just find the name of your interface using "ifconfig", and then replace "eth0" with this name in the command line. (You may also want to remove the "push route" line at the end of your server.conf.)

Increasing the asymmetric key length only increases authentication time; it will not make your tunnel slower. The servers use the 1024/2048-bit keys to talk, then once they trust each other they use a session key to actually encrypt the data, which is symmetric.

I wasn't able to modprobe tun and thus was not able to start OpenVPN.
This is because I'm using a VPS without much of the stuff that comes with a standard install.
What I had to do was install module-init-tools (apt-get install module-init-tools).
Thanks a lot man!

Hi, is it possible to use this tutorial on Ubuntu? I have Ubuntu 8.10 Server edition.

What is the difference between the "original files of easy-rsa" (/usr/share/doc/openvpn/examples/easy-rsa/) and the files which are downloaded in this guide? For example:
http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/vars
http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/openssl.cnf
...

ifconfig eth0 | grep inet | \
sed -e 's/.*:\([0-9\.]*\)[0-9]\{1,3\} .*:\([0-9\.]*\) .*:\([0-9\.]*\).*/push "route \10 \3"/g'
Will in my case look like this:
push "route xxx.xxx.xxx.20 255.255.255.0"
inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
And the line "inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link" shouldn't be there, and also the route xxx.xxx.xxx.20 should in my case be xxx.xxx.xxx.21.
I have NO idea how to do those advanced sed scripts; I'm just changing it in the config after it has been added.
I just thought you should know!
Thanks for the best guide!

This script is executed in the same folder as the .tar.gz configurations. It will create .ovpn configurations that will be compressed into .tar.bz2 archives.
Quite useful when distributing the configurations to Windows users.

Even more automated now. The only thing you need to do now is enter the information. Made all the certificate creation automated.
I've added a client creation script.
How to use:
Install openvpn and openssl.
Extract openvpn_autoconf.tar.bz2 into /etc/openvpn/.
Run: sudo /etc/openvpn/auto_config.sh
Enter the information.
Use the username.tar.bz2 files, give them to the users. If there are Linux users, rename the configurations from .ovpn to .conf.
Add client: sudo /etc/openvpn/addclient.sh username

Everything I've done here is thanks to this guide. :)
But this will maybe make it easier to install OpenVPN on a lot of servers etc.
There's still a lot of work to do.

Hi Lone-wolf
gz on your very good howto, I have learned a lot from you!
All I had to change for Debian Lenny and Squeeze is:
instead of /etc/openvpn/easy-rsa/<script-name>
it's /etc/openvpn/easy-rsa/1.0/<script-name>